ArfanAbid/SOC-Stack-Workflows

Wazuh Alert Triage & Escalation Playbook: Wazuh + Shuffle + IRIS + Discord/Gmail

This stack integrates Wazuh (threat detection and SIEM), Shuffle (automation and orchestration), and DFIR-IRIS (case management and investigation), with Discord/Gmail providing real-time notifications. Together they provide automated alerting, enrichment, incident tracking, and collaborative response to security events.

Components Used

  • Wazuh: Security Information & Event Management (SIEM) and XDR solution for threat detection.
  • Shuffle: open-source Security Orchestration, Automation, and Response (SOAR) platform for automating workflows.
  • DFIR-IRIS: open-source Digital Forensics and Incident Response (DFIR) case management platform for alert triage, evidence handling, investigation tracking, and team collaboration.
  • Discord/Gmail: real-time monitoring and notifications.

Workflow Steps

1. Setup Webhook in Shuffle

  • Create a new Webhook Trigger in Shuffle.
  • Set the webhook name to: Wazuh Alerts
  • Copy the endpoint URL of the webhook.

2. Add Webhook API in Wazuh (ossec.conf)

Add the webhook configuration to Wazuh:

<integration>
  <name>custom-webhook</name>
  <hook_url>http://<your-shuffle-ip>:3001/api/v1/webhook/<webhook-id></hook_url>
  <level>1</level>
  <alert_format>json</alert_format>
</integration>

Start the webhook in Shuffle, then restart the Wazuh manager:

sudo systemctl restart wazuh-manager
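The <integration> block only tells Wazuh which script to run: because the <name> starts with "custom-", the integrator daemon executes /var/ossec/integrations/custom-webhook and passes it three arguments (the path of a temporary file holding the alert as JSON, the API key, and the <hook_url> value). The script below is an added example of that file, not the repository's code. It nests the whole alert under all_fields and adds rule_id, timestamp, id and a coarse severity, which are exactly the $repeat_alert fields the later steps of this playbook reference; the 1-3 severity buckets are an assumption modelled on Wazuh's bundled Shuffle integration. Note that with an http:// hook URL the full alert crosses the network in cleartext, so the Shuffle webhook port should only be reachable from the Wazuh manager's management network.

```python
#!/usr/bin/env python3
# Added example, not the repository's code: a minimal custom integration script
# for the <integration> block above. Because the <name> starts with "custom-",
# Wazuh's integrator runs /var/ossec/integrations/custom-webhook (this file)
# with three positional arguments: the path of a temp file holding the alert
# as JSON, the API key (unused here), and the <hook_url> value.
import json
import sys
import urllib.error
import urllib.request


def read_alert(alert_path):
    """Load the alert JSON Wazuh wrote for this integration run."""
    with open(alert_path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def build_payload(alert):
    """Shape the webhook body the way the later playbook steps reference it.

    $repeat_alert.all_fields.*, .rule_id, .timestamp, .id and .severity are
    the fields the Shuffle variables in this README use, so the full alert is
    nested under all_fields and a coarse severity (1-3) is added. The level
    buckets are an assumption, modelled on Wazuh's bundled Shuffle integration."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0) or 0)
    severity = 1 if level <= 4 else 2 if level <= 7 else 3
    return {
        "severity": severity,
        "title": rule.get("description", "N/A"),
        "text": alert.get("full_log", ""),
        "rule_id": rule.get("id"),
        "timestamp": alert.get("timestamp"),
        "id": alert.get("id"),
        "all_fields": alert,
    }


def post_alert(hook_url, payload, timeout=5):
    """POST the payload as JSON; return the HTTP status, or None on any failure.

    The integrator runs scripts one after another, so a hung webhook without a
    timeout would hold up every later alert; failures are logged, not raised."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        hook_url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except (urllib.error.URLError, OSError, ValueError) as exc:
        print(f"custom-webhook: delivery to Shuffle failed: {exc}", file=sys.stderr)
        return None


def main(argv):
    if len(argv) < 4:
        print("usage: custom-webhook <alert_file> <api_key> <hook_url>", file=sys.stderr)
        return 2
    status = post_alert(argv[3], build_payload(read_alert(argv[1])))
    return 0 if status is not None and 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as /var/ossec/integrations/custom-webhook, owned by root:wazuh with mode 750 like the bundled integration scripts, then restart wazuh-manager as above. Delivery failures end up in /var/ossec/logs/integrations.log, which is the first place to look when alerts stop arriving in Shuffle.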

3. Log Ingestion to Shuffle

Logs from Wazuh are now sent to Shuffle via the webhook.


4. Create Repeat Trigger in Shuffle

  • Add a Repeat Back to Me app in the workflow.
  • Set the name to: Repeat Alert

5. Filter Alerts

We are only concerned with alerts where level >= 7; lower levels are logged for visibility only.

  • If alert level < 7:
    Send a formatted message to Discord for visibility only.
    1. Create a Discord channel for informational alerts:
      • Open your Discord server.
      • Click "+" to create a new text channel (e.g., #wazuh-Alerts).
      • Go to Channel Settings - Integrations - Webhooks.
      • Click "New Webhook".
      • Name it (e.g., Wazuh-SIEM-Alerts) and copy the Webhook URL.
    2. Send the message payload. Use the following JSON payload in Shuffle to post via the Discord Webhook:

{
  "content": "**[Wazuh Informational Alert]**\n\n**Level:** $repeat_alert.all_fields.rule.level\n**Rule ID:** $repeat_alert.rule_id\n**Title:** $repeat_alert.all_fields.rule.description\n**Source:** $repeat_alert.all_fields.agent.name\n**Detected IP:** $repeat_alert.all_fields.agent.ip\n**Timestamp:** $repeat_alert.timestamp\n\n_No immediate action required. Logged for visibility._"
}

  • If alert level >= 7:
    Continue to enrichment and case creation.

6. Map Severity with Python Script (severity map)

Create a Python script in Shuffle named severity map:

# Shuffle substitutes the Jinja expression before the script runs;
# fall back to 0 if the level is missing or not numeric
try:
    rule_level = int("{{ repeat_alert.all_fields.rule.level or 0 }}")
except Exception:
    rule_level = 0

# Map the Wazuh rule level to an IRIS alert_severity_id
if rule_level < 5:
    severity = 2
elif rule_level < 7:
    severity = 3
elif rule_level < 10:
    severity = 4
elif rule_level < 13:
    severity = 5
else:
    severity = 6

# IMPORTANT: Return it as `output` (Shuffle expects this)
output = {
    "severity": severity
}
print(severity)  # This must be returned; it is what $severity_map.message resolves to

Note: the Wazuh webhook payload already includes a severity field by default, so you can use that value directly instead of running this script. The script is kept here for reference, to show how the mapping could be done manually if needed.


7. Create Alert in IRIS

  • Drag IRIS into the workflow and authenticate using a new user account's API key (not the admin account).

Use the following body to create an alert:

{
  "alert_title": "$repeat_alert.all_fields.rule.description",
  "alert_description": "Rule ID: $repeat_alert.all_fields.rule.id\nRule Level: $repeat_alert.all_fields.rule.level\nRule Description: $repeat_alert.all_fields.rule.description\nAgent ID: $repeat_alert.all_fields.agent.id\nAgent Name: $repeat_alert.all_fields.agent.name\nMITRE IDs: $repeat_alert.all_fields.rule.mitre.id\nMITRE Tactics: $repeat_alert.all_fields.rule.mitre.tactic\nMITRE Techniques: $repeat_alert.all_fields.rule.mitre.technique\nLocation: $repeat_alert.all_fields.location",
  "alert_source": "Wazuh",
  "alert_source_ref": "$repeat_alert.id",
  "alert_source_link": "https://192.168.18.159/app/wz-home",
  "alert_severity_id": $severity_map.message,
  "alert_status_id": 2,
  "alert_note": "Rule level: $repeat_alert.all_fields.rule.level, Event ID: $repeat_alert.all_fields.data.win.system.eventID",
  "alert_tags": "wazuh,$repeat_alert.all_fields.agent.name",
  "alert_customer_id": 1,
  "alert_source_content": ""
}
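Steps 5 to 7 (the level filter, the severity map and the IRIS alert body) carried out as one plain-Python function over the raw Wazuh alert dict, i.e. what the webhook payload carries under all_fields. This is an added example for offline testing, not the repository's code: Shuffle's $variable substitution is replaced by direct dict access, and the dashboard link is a placeholder. It also handles an edge case the templates above do not: rule.mitre.* is absent on most alerts and data.win.system.eventID exists only for Windows event-log alerts, so a missing key renders as n/a instead of breaking the body. Attaching the raw alert as alert_source_content (assumed to accept a JSON object) is also an addition.

```python
# Added example, not the repository's code: steps 5-7 of the playbook as one
# triage function over the raw Wazuh alert dict (the all_fields content).
import json

DISCORD_THRESHOLD = 7   # alerts below this level are posted to Discord only
IRIS_STATUS_NEW = 2     # alert_status_id the playbook uses
IRIS_CUSTOMER_ID = 1    # alert_customer_id the playbook uses
DASHBOARD_LINK = "https://<wazuh-dashboard>/app/wz-home"  # placeholder, assumed


def map_severity(rule_level):
    """Wazuh rule level -> IRIS alert_severity_id, same buckets as the severity map script."""
    if rule_level < 5:
        return 2
    if rule_level < 7:
        return 3
    if rule_level < 10:
        return 4
    if rule_level < 13:
        return 5
    return 6


def field(alert, path, default=""):
    """Dotted-path lookup that tolerates missing keys (rule.mitre.* is absent on
    most alerts; data.win.system.eventID only exists for Windows alerts).
    Lists, which Wazuh uses for mitre.id/tactic/technique, are comma-joined."""
    cur = alert
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    if isinstance(cur, list):
        return ", ".join(str(x) for x in cur)
    return cur


def discord_payload(alert):
    """Informational message for the < 7 branch, mirroring the playbook's content string."""
    content = (
        "**[Wazuh Informational Alert]**\n\n"
        f"**Level:** {field(alert, 'rule.level')}\n"
        f"**Rule ID:** {field(alert, 'rule.id')}\n"
        f"**Title:** {field(alert, 'rule.description')}\n"
        f"**Source:** {field(alert, 'agent.name')}\n"
        f"**Detected IP:** {field(alert, 'agent.ip')}\n"
        f"**Timestamp:** {field(alert, 'timestamp')}\n\n"
        "_No immediate action required. Logged for visibility._"
    )
    return {"content": content}


def iris_alert_body(alert):
    """Body for IRIS alert creation (the >= 7 branch), same keys as the playbook."""
    level = int(field(alert, "rule.level", 0) or 0)
    description = "\n".join([
        f"Rule ID: {field(alert, 'rule.id')}",
        f"Rule Level: {level}",
        f"Rule Description: {field(alert, 'rule.description')}",
        f"Agent ID: {field(alert, 'agent.id')}",
        f"Agent Name: {field(alert, 'agent.name')}",
        f"MITRE IDs: {field(alert, 'rule.mitre.id', 'n/a')}",
        f"MITRE Tactics: {field(alert, 'rule.mitre.tactic', 'n/a')}",
        f"MITRE Techniques: {field(alert, 'rule.mitre.technique', 'n/a')}",
        f"Location: {field(alert, 'location')}",
    ])
    return {
        "alert_title": field(alert, "rule.description"),
        "alert_description": description,
        "alert_source": "Wazuh",
        "alert_source_ref": field(alert, "id"),
        "alert_source_link": DASHBOARD_LINK,
        "alert_severity_id": map_severity(level),
        "alert_status_id": IRIS_STATUS_NEW,
        "alert_note": f"Rule level: {level}, Event ID: {field(alert, 'data.win.system.eventID', 'n/a')}",
        "alert_tags": f"wazuh,{field(alert, 'agent.name')}",
        "alert_customer_id": IRIS_CUSTOMER_ID,
        "alert_source_content": alert,  # raw alert kept with the IRIS alert (assumed JSON object)
    }


def triage(alert):
    """Route one alert: ('discord', payload) below the threshold, ('iris', body) otherwise."""
    level = int(field(alert, "rule.level", 0) or 0)
    if level < DISCORD_THRESHOLD:
        return "discord", discord_payload(alert)
    return "iris", iris_alert_body(alert)


# Constructed sample alerts (not real telemetry): one Linux informational alert
# without MITRE data, one Windows logon-failure alert with MITRE lists.
INFO_ALERT = {
    "id": "1718000000.1001", "timestamp": "2024-06-10T08:00:00.000+0000",
    "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.21"},
    "location": "/var/log/auth.log",
}
HIGH_ALERT = {
    "id": "1718000000.2002", "timestamp": "2024-06-10T08:05:00.000+0000",
    "rule": {"id": "60204", "level": 10, "description": "Multiple Windows logon failures.",
             "mitre": {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]}},
    "agent": {"id": "002", "name": "WIN-DC01", "ip": "10.0.0.5"},
    "location": "EventChannel",
    "data": {"win": {"system": {"eventID": "4625"}}},
}

if __name__ == "__main__":
    for sample in (INFO_ALERT, HIGH_ALERT):
        route, body = triage(sample)
        print(route, json.dumps(body, indent=2))
```

Running the file prints the Discord payload for the level-3 alert and the IRIS body (alert_severity_id 5) for the level-10 alert; the same functions can be dropped into a Shuffle Python action once the dict access is swapped back for the workflow variables.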

8. Create Case from Alert

Cases can be created either manually by analysts or automatically.
Use this body to automate case creation in IRIS:

{
  "case_customer": $create_alert.body.data.customer.customer_id,
  "case_description": "$create_alert.body.data.alert_description",
  "case_name": "Wazuh - $create_alert.body.data.alert_title",
  "case_soc_id": "$create_alert.body.data.alert_source_ref",
  "cid": "$create_alert.body.data.alert_id"
}

9. Notify SOC via Gmail or Discord

Send alert or case summary to the SOC team via email or Discord for real-time notification.


Next Step: Enable Enrichment in IRIS

Once alerts and cases are automatically created, you can enrich IOCs using tools like VirusTotal or MISP.

Two ways to enable enrichment:

  1. Via Shuffle Workflow
    Use VT/MISP apps directly in your Shuffle workflow after the alert/case creation.

  2. Built-in IRIS Modules

    • Go to IRIS - Modules
    • Enable VT or MISP
    • Set Auto-trigger upon IOC creation to True
    • Result: Every created IOC will be automatically enriched.

Arfan Abid
LinkedIn: https://www.linkedin.com/in/arfan-abid-152217270/
